Ponemon Study: Healthcare Aware of Security Threats, But Not Really Ready for Them

By D’Arcy Gue, Director of Industry Relations, Phoenix Health Systems – a division of Medsphere Systems
Twitter – @DarcyGue

You may be suffering from IT security fatigue at this point, for which I offer a half-hearted apology.

Yes, only half-hearted, because the numbers say healthcare is aware of various security threats but still remains vulnerable, making it imperative that the subject stay top of mind until patient data is reliably protected.

For example, the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, published earlier this month, offers interesting perspectives on both healthcare organizations and business associates.

For this ID Experts-sponsored study, The Ponemon Institute engaged 91 covered entities (health plans, healthcare clearinghouses, healthcare providers) and 84 business associates (BAs) like healthcare IT companies. Given that business associates often have access to patient data, it’s appropriate that this study and future research projects include partners not involved in actual provision of care.

A review of the Benchmark Study reveals some overarching themes and messages that may prove valuable to healthcare providers and business associates.

Data breaches are common and happening more frequently.
You know this already, right? Probably, but the frequency suggests that only the really big breaches make it into the healthcare IT press.

In the last two years, 89 percent of healthcare organizations and 61 percent of BAs experienced at least one breach that resulted in a loss of patient data. In that same time period, 45 percent of healthcare organizations had more than five breaches and 28 percent of BAs had more than two.

“The annual economic impact of a data breach has risen over the past six years, as has the frequency of data breaches,” the report reads. “Criminal attacks and internal threats are the leading cause of data breaches.”

Employees are both your strongest asset and greatest liability.
How do your employees at all levels feel about working there? How well trained are they in all aspects of their jobs? Are you aware of any particularly disgruntled employees?

Where once these were primarily questions for human resources, now they are highly relevant to the security of your operation.

When asked what type of security incident they most fear, a majority of both healthcare organizations (69 percent) and BAs (53 percent) identified employee negligence and carelessness.

These percentages remain roughly the same as last year, even while the most common cause of data breaches with healthcare organizations—fully 50 percent—is criminal attacks. Among BAs, an unintentional employee action (55 percent) is still the manner by which patient data is most often compromised.

What may provide some comfort for both healthcare organizations and BAs is that a malicious insider (13 and 6 percent, respectively) is not often the cause of lost patient information.

While concerns about employee carelessness might be more statistically relevant for BAs than healthcare organizations, in both entities the gap between negligence and malice represents an opportunity to make employees the first and most effective line of defense.

Indeed, for most BAs (58 percent), data breaches were discovered by employees. On the healthcare organization side, audits (74 percent) most often received credit for data breach recognition, with employee detection second at 47 percent.

Healthcare organizations and BAs recognize that employees are essential to better security. Both entities said better training, as well as more effective policies and procedures, were the most effective way to combat loss of patient data.

Data security spending and organizational preparation are still not where they need to be.

All of healthcare IT is aware of cyberattacks and the potential danger of losing patient data, and yet IT budgets remain stuck. Among healthcare organizations, 62 percent say their budget for incident response has either decreased (10 percent) or stayed the same (52 percent).

There remains a gap, Ponemon says, between awareness and funding.

“Recent big healthcare data breaches have increased the healthcare industry’s awareness of the growing threats to patient data, resulting in more focus on their security practices and implementing the appropriate policies and procedures; however, the research indicates that it is not enough to curtail or minimize data breaches. According to the findings, half of these organizations still don’t have the people or the budget to detect or manage data breaches.”

Perhaps most disconcerting is that while 60 percent of healthcare organizations and 54 percent of BAs assess their organizational vulnerabilities, the overwhelming majority do so on either an annual (41 and 35 percent, respectively) or ad hoc (43 and 35 percent) basis.

Data breach insurance is becoming a standard part of providing healthcare.
The information on data breach insurance from the Ponemon study is interesting and somewhat curious. In the study group, one-third of healthcare organizations and 29 percent of BAs are insured against data breaches and cyberattacks. Of that group, a majority of both healthcare organizations (57 percent) and BAs (52 percent) purchased up to $5 million in coverage.

What do these numbers say about healthcare and preparation for cyberattacks? For one thing, we know that healthcare organizations and BAs are both concerned about liability; the coverage most frequently provided (just north of 70 percent for both groups) by the selected data breach policies is legal defense.

Other than that, it’s hard to draw any definitive conclusions based on the figures alone. On an individual basis, some organizations may find it more affordable to insure than fully prepare. Others may pursue both strategies.

It does seem clear that most of healthcare is under no illusions about how well prepared the industry is for hackers and cyberattacks. When asked why healthcare has a bullseye on its back, healthcare organization respondents said quite clearly that the industry is not doing enough, offering these perspectives:

  • 51 percent: Healthcare organizations are not vigilant in ensuring their partners and other third parties protect patient information.
  • 44 percent: Healthcare organizations are not hiring enough skilled IT security practitioners.
  • 41 percent: Healthcare organizations are not investing in technologies to mitigate a data breach.

The rise in cyberattacks puts many healthcare organizations in a difficult spot. Millions have already been spent on IT systems and security, and in many ways and for many providers, it simply isn’t enough. Insurance is one way to guard against disaster, but more successful attacks will lead to higher premiums, making vigilance and adequate preparation the only realistic option.

This article was originally published on Medsphere and is republished here with permission.